Description

The getauthattr() and getauthnam() functions each return an auth_attr(4) entry. Entries can
come from any of the sources specified in the nsswitch.conf(4) file.

The getauthattr() function enumerates auth_attr entries. The getauthnam() function searches for an
auth_attr entry with a given authorization name name. Successive calls to these
functions return either successive auth_attr entries or NULL.

Th internal representation of an auth_attr entry is an authattr_t structure defined
in <auth_attr.h> with the following members:

The setauthattr() function “rewinds” to the beginning of the enumeration of auth_attr
entries. Calls to getauthnam() can leave the enumeration in an indeterminate
state. Therefore, setauthattr() should be called before the first call to getauthattr().

The endauthattr() function may be called to indicate that auth_attr processing is
complete; the system may then close any open auth_attr file, deallocate storage,
and so forth.

The chkauthattr() function verifies whether or not a user has a given
authorization. It first reads the user_attr(4) database and returns 1 if it finds
a match for the given authorization. If it does not find a
match in user_attr, chkauthattr() reads the prof_attr(4) database using the list
of profiles assigned to the user and checks if any of the
profiles assigned to the user has the given authorization. When chkauthattr() finds
a profile called “Stop”, further profiles are ignored, the authorizations and profiles mentioned
in /etc/security/policy.conf are ignored and it returns 0. If it does not
find a match in the user's profiles, chkauthattr() reads the AUTHS_GRANTED key
in the /etc/security/policy.conf file and returns 1 if it finds a match for the
given authorization. If chkauthattr() does not find a match and the username
is the name of the “console user”, defined as the owner of
/dev/console, it first reads the CONSOLE_USER key in /etc/security/policy.conf and returns 1 if
the given authorization is in any of the profiles specified in the
CONSOLE_USER keyword, then reads the PROFS_GRANTED key in /etc/security/policy.conf and returns 1
if the given authorization is in any profiles specified with the PROFS_GRANTED keyword.
The chkauthattr() function returns 0 if it does not find a match
in any of the three sources or if the user does not
exist.

Authorization names consist of a hierarchical set of dot (.)-separated words, called
the predicate, and an optional object qualifier preceded by a slash character
(/). Authorizations listed in user_attr and prof_attr may contain an asterisk (*)
following the final dot in the predicate to indicate a wildcard. The reserved
word grant, used for delegating authorizations, is not matched by *.

A user is considered to have been assigned an authorization if all
of the following are true:

The authorization name matches exactly any authorization assigned in the user_attr or prof_attr databases (authorization names are case-sensitive).

The predicate of authname matches the predicate of an authorization completely, or the predicate does not end in grant and matches up to the * if present.

The authorization name suffix is not the key word grant and the authorization name matches any authorization up to the asterisk (*) character assigned in the user_attr or prof_attr databases.

If the authorization includes an object qualifier, then authname must include the same object qualifier.

The examples in the following table illustrate the conditions under which a
user is assigned an authorization.

/etc/security/policy.conf or

Is user

Authorization name

user_attr or prof_attr entry

authorized?

solaris.printer.postscript

solaris.printer.postscript

Yes

solaris.printer.postscript

solaris.printer.*

Yes

solaris.printer.grant

solaris.printer.*

No

solaris.zone.login/z1

solaris.zone.*

Yes

solaris.zone.login

solaris.zone.*/z1

No

The free_authattr() function releases memory allocated by the getauthnam() and getauthattr()
functions.

Return Values

The getauthattr() function returns a pointer to an authattr_t if it
successfully enumerates an entry; otherwise it returns NULL, indicating the end of
the enumeration.

The getauthnam() function returns a pointer to an authattr_t if it
successfully locates the requested entry; otherwise it returns NULL.

The chkauthattr() function returns 1 if the user is authorized and 0
if the user does not exist or is not authorized.

Usage

The getauthattr() and getauthnam() functions both allocate memory for the pointers they
return. This memory should be deallocated with the free_authattr() call.

Individual attributes in the attr structure can be referred to by calling
the kva_match(3C) function.

Warnings

Because the list of legal keys is likely to expand, code
must be written to ignore unknown key-value pairs without error.